Cloud Security Implications for Financial Services
|
|
- Milo Cummings
- 5 years ago
- Views:
Transcription
1 Cloud Security Implications for Financial Services 2017 Avanade Inc. All rights reserved. 2
2 Introduction Growing Adoption of the Public Cloud Businesses in nearly every industry are rapidly adopting cloud computing as a vital part of their IT operations and a path to divesting their expenditures in server hardware by With greater flexibility, ease of upgrade, and low capital investment requirements, the public cloud makes it easier for organizations to implement newer, more competitive computing tools, like mobile solutions, real-time data analysis, and the latest application innovations. In addition, organizations that have inherited legacy systems through acquisition have found moving to the cloud to be more cost-effective and more secure than keeping older systems up-to-date. As a result, while the financial services industry is still in the early stages of moving to the cloud, most organizations do have a cloud strategy, usually a mix of on-premises (on-prem), private, and public cloud infrastructure. Fear, uncertainty, and doubt, however, continue to plague financial organizations looking to make the move to the public cloud. While some financial services firms continue to maintain an on-prem or private cloud only approach, due to security and compliance concerns, overall confidence in the public cloud has been rapidly growing. Continuous security improvement in the public cloud has driven more businesses to migrate their processes to the public cloud to gain a cost and operational advantage over their competitors. Furthermore, public cloud service providers are rapidly meeting global compliance requirements, making a move to the public cloud a more secure decision. Moreover, with the public cloud s economies of scale, protections built to meet the needs of one constituency become part of the of the shared platform. For example, for multiple companies sharing cloud server space for their functions, when malware is found in an attachment from one tenant, it can be tagged and prevented from affecting other tenants sharing the compute resource. In the public cloud, there is an opportunity for community benefit through shared innovation, security upgrades, and lessons learned. Problem: Public Cloud Security and Compliance The questions many financial services organizations face when considering moving to the cloud are: Will the public cloud be secure enough for my operations? and Can the public cloud meet my worldwide compliance requirements? There are no regulations that prevent financial services organizations from moving to the cloud, and, in fact, there are cloud solutions that help companies meet regulatory requirements. For example, Microsoft Azure is compliant across many financial regulations to include Center for Financial Industry Information Systems (FISC), Payment Card Industry Data Security Standards (PCI DSS), and Service Organization Controls (SOC) 1, 2 and 3. Microsoft has leveraged its decades-long experience in enterprise software to build a secure public cloud platform. Microsoft Azure has gone through security hardening by continuously improving security-aware software development, operational management, and threat-mitigation practices that are essential to the strong protection of services and data. A public cloud solution, like Microsoft Azure, can be more secure than private cloud or on-prem installations. Security in the public cloud is a shared responsibility and follows a shared security model, which means clients have an important role to play in public cloud security. While Microsoft Azure provides security for the overall global cloud infrastructure and foundational services in the public cloud, clients still need to take steps to: Secure customer data and content, Azure environment, Azure Accounts, Access Controls and Network Configuration Ensure proper configuration of virtual machines to prevent attacks Turn on data collection in the Azure Portal to allow logging and monitoring and enable the Intrusion Prevention System (IPS) to defend against network and application threats Configure properly the Host Firewall
3 Microsoft Azure reduces vulnerabilities to breaches in software by implementing the Microsoft Security Development Lifecycle (SDL), a mandatory software security assurance process followed by Microsoft and its partners. Microsoft also follows the Microsoft Operations Security Assurance (OSA) framework to manage risk in online and cloud services, and implements security controls from both the National Institute of Standards and Technology (NIST) and International Standards Organization (ISO) 27001:2013. Shared Security Model While Microsoft Azure secures an organization s overall global cloud infrastructure and foundational services in the public cloud (see sections in blue in the chart below), clients will need to secure their customer data and content, Azure environment, Azure Accounts, Access Controls, and Network Configuration. Clients will also need to ensure the proper configuration of virtual machines to prevent attacks. In addition, to defend against network and application threats, clients must make sure that data collection is turned on in the Azure Portal to allow logging and monitoring to take place, as well as ensuring that Intrusion Prevention System (IPS) & the Host Firewall are property configured. This is where Avanade Managed Services (AMS) comes into to play. Avanade has the deep Microsoft technology stack expertise to help clients configure Active Directory Federated Services in the cloud, Azure Rights Management Services (RMS), as well as network, firewall and client side and service side encryption. Avanade also offers the Microsoft Azure community benefit that comes with having clients with more stringent security requirements than most other companies. Over the last few years, major cloud service providers have implemented significant security improvements that create a common denominator effect that benefits all clients looking to move to the public cloud platform. Also, cloud security partners such as Avanade provide additional managed security solutions and services on public cloud platforms such as Azure, such as the latest security technologies and security as a Service (SaaS) offerings. Figure 1-Shared Security Model
4 Regulations Impacting Financial Services Financial services regulations address a wide range of concerns, including privacy, disclosure, fraud prevention, anti-money laundering, anti-terrorism, anti-usury lending and anti-lending discrimination. It is a complex landscape due to the number of institutions around the world that financial services regulations, especially in the U.S., where laws are put in place not only by the federal government, but also at the state and city levels. Primary Regulations That Impact Financial Services Companies Country Regulation Areas covered/requirements Cloud security considerations U.S. Payment Card Industry Data Security Standards (PCI DSS) All organizations that accept, acquire, transmit, process or store cardholder data must safeguard all sensitive customer information. U.S. Sarbanes-Oxley (SOX) Accountability for financial reporting and governance; quick reporting of compromised sensitive data U.S. Gramm-Leach-Bliley Act (GLB, GLBA, or the Financial Services Modernization Act) Applies to US financial institutions and governs the handling of non-public personal information (customer financial records and other personal information). Verify that contracts are well-written, expectations are set, and nested 3rd-party relationships (sub-vendors) are identified and made aware of their obligations. Implement controls to protect in-scope data (such as encryption for data at rest); access controls, decryption for only those authorized to see financial information, monitoring logs, and validated incident response processes.
5 Other Regulations and Guidelines to be Aware Of Country Regulation Areas Covered/Requirements U.S. Federal Deposit Insurance Act section 36 U.S. National Credit Union Administration rules and regulations Early Identification of Needed Improvements in Financial Management Include the Federal Credit Union Act which governs the coverage and terms of insured accounts at all federally insured credit unions U.S. Patriot Act Section 311: Special Measures for Jurisdictions, Financial Institutions, or International Transactions of Primary Money Laundering Concern U.S. Regulation P (1999) Financial institutions must inform a consumer of their policy regarding personal information and must provide an "opt-out" before disclosing data to a non-affiliated third party. U.S. Know your customers rules and Bank Secrecy Act (1970) Financial institutions must ensure customer financial activities are consistent with their business activities, and report suspect activities to the government. U.S. State data breach notification laws California enacted the first in 2003, and now there are 47 states, as well as Puerto Rico, Guam, and the Virgin Islands, that have passed their own data breach notification requirements. California and other states define personal information to include addresses and passwords. U.K. UK Data Protection Act Data breach disclosure law Japan Korea Financial instrument and Exchange Act (Japan) JSOX Personal Information Protection Act Rules for internal controls related to financial reporting Data breach disclosure law Other Regulations and Guidelines to be Aware Of Country Regulation Areas Covered/Requirements Australia Hong Kong Singapore Privacy Amendment (Notifiable Data Breaches) Act 2016 Amends the Privacy Act of 1988 and takes effect on February 22, 2018 Hong Kong Monetary Authroity (HKMA) Monetary Authority of Singapore (MAS) Data breach disclosure law requires a company to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of certain data breaches that are likely to result in serious harm. Provides guideines for: Data security (Personal Data Privacy Ordinance [PDPO]) Incident handling and reporting Cybersecurity ( Cybersecurity Fortification Initiative [CFI]) Provides guidelines: Notify MAS of security breaches Assess and regularly audit 3rd-party service providers Ensure cloud service provider: (1) can clearly identify and segregate customer data; and (2) has robust access controls to protect customer information
6 Security Vulnerabilities in the Financial Services Industry In 2016, the financial services industry reported a total of 33 data breaches, impacting over 1 million records. Security Scorecord, a cybersecurity and risk monitoring platform, noted that as financial institutions have grown through acquisition, they also have inherited legacy IT systems with vulnerabilities that remain in place for years. In its 2016 report, Security Scorecard found that 1 : The U.S. Commercial bank with the lowest security posture is one of the top 10 largest financial service organizations in the U.S (by revenue). Only one of the top 10 largest banks received an overall 'A' grade. Ninety-five percent of the top 20 U.S. commercial banks (by revenue) have a network security grade of 'C' or below. Seventy-five percent of the top 20 U.S. commercial banks (by revenue) are infected with malware. Nearly 1 out of 5 financial institutions use an service provider with severe security vulnerabilities. Security Scorecard looked at 361 companies that had experienced security breaches in Of those, more than 10% represented the financial services industry, where common areas of vulnerability were network security, due to challenges in auditing and updating large infrastructures, and timely security patches, usually required by legacy systems no longer supported by application providers. leading target of cybercriminals. Unpatched systems have been a popular target for cybercriminals. Some of the Largest Data Breaches to Impact the Financial Services Industry: Year Operation Event Estimated total loss 2016 Asian central bank Cybercriminals installed credential-stealing malware to obtain log-in credentials to the Society for Worldwide Interbank Financial Telecommunications (SWIFT) Network Major U.S. bank A cyber-attack compromised the financial and personal information of 76 million households and 7 million small businesses Leading retail payment technology company A cyber-attack on the company s North American servers enabled criminals to steal personal data from 1.5 million credit card accounts. $81 million $1 billion (Protection Group International s estimate of total related costs) $90 million 1 ;
7 Maintaining Data Security and Regulatory Compliance Because of the number of regulations affecting the industry, as well as the volume of personal information and money involved, maintaining data privacy, security and compliance is a major responsibility for financial services organizations. There are, however, effective steps that organizations can take to protect their systems and data both on-premises and in the cloud as well as operate within the law: Data Challenge Security Early detection (of unusual activity or unauthorized data access) System vulnerability Human error Mitigation Approach Data encryption of the appropriate strength for the sensitivity of the data it looks to protect against data loss and/or theft Consider Scenarios for o Data in transit o Data at rest ISO and the NIST 800 series l frameworks Penetration testing and regular key control validations Online account access 2-factor authentication Security Event and Incident Management(SEIM) system with audit trail capabilities that record and analyze instances of different categories of data accessed (what, when and who) and changes to information Incident Response processes (people and governance) Forensics capabilities (technical analysis of reviewing evidence of a potential data breach) Risk analysis/assessment with regular review and system audits Routine audits of user access (continued need for access rights) Security and Privacy by Design when developing new systems (SDLC, tollgates/milestone validations) Regularly recurring penetration testing and code review for top systems (existing systems) Map and Inventory Data (collection point, storage locations and transfer to upstream and downstream systems) Employee training (to prevent gossip, unintentional data disclosures, loss, deviation from standard procedures, phishing and social engineering)
8 Avanade s Approach to Security and Compliance Avanade understands that financial services companies have a lot to consider when moving to the cloud. With in-depth experience providing a variety of cloud solutions, Avanade helps organizations realize the benefits of these programs all while protecting data and maintaining compliance. Moreover, working with its partners, Accenture and Microsoft, Avanade offers an unmatched combination of industry and technical expertise. In fact, one cloud service platform that is a great fit for financial services companies is Microsoft Azure, designed to meet high security standards. Avanade is a Microsoft Gold Certified Azure Partner. Avanade helps organizations move their IT operations to the cloud through migration, implementation and managed services, investing time to fully understand each client s unique requirements. The company assigns every client engagement to the company s Client Data Protection (CDP) program, built upon the following principles: Senior-level oversight responsibility for all engagements where client data is accessible Clear communication and documentation of all CDP requirements Establishment of a business associate agreement (BAA) to allow proper handling of all client Personally Identifiable Information (PII) Mandatory CDP HIPAA awareness training for all resources tasked with maintaining any aspect of a client solution, in addition to training specific to the individual client requirements Required controls for secure handling of client data while in Avanade s custody Service-specific controls tied to vulnerabilities inherent to unique types of work, such as the needs of financial services clients Technology controls deployed to enforce mandatory baseline protection mechanisms Tools, processes and subject matter specialist support for project teams Standardized data protection tools and templates Program execution begins with a risk assessment to determine each client's risk in relation to their precise project requirements. The second mitigation phase uses an implementation plan consisting of up to 24 control families operated by the project team. Avanade requires that a CDP plan must be established before any service delivery tasks begin, and client stakeholders, such as business owners and representatives from the Information Security team, and the Avanade service delivery team must adhere to the plan for the life of the engagement. Plan execution is periodically reviewed by independent internal teams to gauge both compliance and the effectiveness of the controls to manage the client s risk. Any identified gaps are tracked and escalated to the assigned Client Data Protection Executive (CDPE) for corrective action. Avanade s knowledge of financial services regulations around the world and its experience helping clients protect their systems and information have enabled the company to create a library of best-practices and effective approaches to security. Avanade knows, however, that every client is different, and each has its own set of requirements and challenges. That is why Avanade makes sure it understands these elements during the assessment process so that the company can develop and put in place the right security controls to fit a client s individual needs. Moreover, Avanade continues to reassess those needs throughout delivery, ensuring that the company provides services that its clients can count on to help keep data safe, systems protected, and their organizations regulatory compliant.
9 About Avanade Avanade is the leading provider of innovative digital and cloud-enabling services, business solutions and design-led experiences, delivered through the power of people and the Microsoft ecosystem. Majority owned by Accenture, Avanade was founded in 2000 by Accenture LLP and Microsoft Corporation and has 30,000 professionals in 24 countries. Visit us at Avanade Inc. All rights reserved. The Avanade name and logo are registered trademarks in the U.S. and other countries. Other brand and product names are trademarks of their respective owners. North America Seattle Phone South America Sao Paulo Africa Pretoria Phone Asia-Pacific Australia Phone Asia-Pacific@avanade.com Europe London Phone Europe@avanade.com
Avanade s Approach to Client Data Protection
White Paper Avanade s Approach to Client Data Protection White Paper The Threat Landscape Businesses today face many risks and emerging threats to their IT systems and data. To achieve sustainable success
More informationCybersecurity Conference Presentation North Bay Business Journal. September 27, 2016
Cybersecurity Conference Presentation North Bay Business Journal September 27, 2016 1 PRESENTER Francis Tam, CPA, CISM, CISA, CITP, CRISC, PCI QSA Partner Information Security and Infrastructure Practice
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationPCI DSS and the VNC SDK
RealVNC Limited 2016. 1 What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) compliance is mandated by many major credit card companies, including Visa, MasterCard, American Express,
More informationData Privacy and Cybersecurity
Data Privacy and Cybersecurity Key Contacts Timothy C. Blank Boston +1 617 728 7154 Dr. Olaf Fasshauer National Munich +49 89 21 21 63 28 Joshua H. Rawson New York +1 212 698 3862 Translate Page In an
More informationWITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:
SOLUTION OVERVIEW: ALERT LOGIC THREAT MANAGER WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE Protecting your business assets and sensitive data requires regular vulnerability assessment,
More informationIT Audit Process Prof. Liang Yao Week Two IT Audit Function
Week Two IT Audit Function Why we need IT audit A Case Study What You Can Learn about Risk Management from Societe Generale? https://www.cio.com/article/2436790/security0/what-you-can-learn-about-risk-management-fromsociete-generale.html
More informationIBM Internet Security Systems October Market Intelligence Brief
IBM Internet Security Systems October 2007 Market Intelligence Brief Page 1 Contents 1 All About AIX : Security for IBM AIX 1 AIX Adoption Rates 2 Security Benefits within AIX 3 Benefits of RealSecure
More informationBest Practices in Securing a Multicloud World
Best Practices in Securing a Multicloud World Actions to take now to protect data, applications, and workloads We live in a multicloud world. A world where a multitude of offerings from Cloud Service Providers
More informationNYDFS Cybersecurity Regulations
SPEAKERS NYDFS Cybersecurity Regulations Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com www.huntonprivacyblog.com March 9, 2017 The Privacy Team at Hunton & Williams Over 30 privacy
More informationCyber Security in M&A. Joshua Stone, CIA, CFE, CISA
Cyber Security in M&A Joshua Stone, CIA, CFE, CISA Agenda About Whitley Penn, LLP The Threat Landscape Changed Cybersecurity Due Diligence Privacy Practices Cybersecurity Practices Costs of a Data Breach
More informationCRIMINAL NETWORK INTRUSION AND DATA THEFT: Today s Security Landscape and What to Do If You ve Been Compromised
CRIMINAL NETWORK INTRUSION AND DATA THEFT: Today s Security Landscape and What to Do If You ve Been Compromised TUESDAY, MAY 24, 2011 Alston & Bird LLP PricewaterhouseCoopers Silverpop www.pwc.com Data
More informationService. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution
Service SM Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution Product Protecting sensitive data is critical to being
More informationGlobal Security Consulting Services, compliancy and risk asessment services
Global Security Consulting Services, compliancy and risk asessment services Introduced by Nadine Dereza Presented by Suheil Shahryar Director of Global Security Consulting Today s Business Environment
More informationComplying with PCI DSS 3.0
New PCI DSS standards are designed to help organizations keep credit card information secure, but can cause expensive implementation challenges. The F5 PCI DSS 3.0 solution allows organizations to protect
More informationPCI DSS and VNC Connect
VNC Connect security whitepaper PCI DSS and VNC Connect Version 1.2 VNC Connect security whitepaper Contents What is PCI DSS?... 3 How does VNC Connect enable PCI compliance?... 4 Build and maintain a
More informationCybersecurity The Evolving Landscape
Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG
More informationThe Impact of Cybersecurity, Data Privacy and Social Media
Doing Business in a Connected World The Impact of Cybersecurity, Data Privacy and Social Media Security Incident tprevention and Response: Customizing i a Formula for Results Joseph hm. Ah Asher Marcus
More informationControlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:
Page 1 of 6 I. Common Principles and Approaches to Privacy A. A Modern History of Privacy a. Descriptions, definitions and classes b. Historical and social origins B. Types of Information a. Personal information
More informationAKAMAI CLOUD SECURITY SOLUTIONS
AKAMAI CLOUD SECURITY SOLUTIONS Whether you sell to customers over the web, operate data centers around the world or in the cloud, or support employees on the road, you rely on the Internet to keep your
More informationThe Honest Advantage
The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents
More information01.0 Policy Responsibilities and Oversight
Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities
More informationSecurity Breaches: How to Prepare and Respond
Security Breaches: How to Prepare and Respond BIOS SARAH A. SARGENT Sarah is a CIPP/US- and CIPP/E-certified attorney at Godfrey & Kahn S.C. in Milwaukee, Wisconsin. She specializes in cybersecurity and
More informationIncentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO
White Paper Incentives for IoT Security May 2018 Author: Dr. Cédric LEVY-BENCHETON, CEO Table of Content Defining the IoT 5 Insecurity by design... 5 But why are IoT systems so vulnerable?... 5 Integrating
More informationBalancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld
Balancing Compliance and Operational Security Demands Nov 2015 Steve Winterfeld What is more important? Compliance with laws / regulations Following industry best practices Developing a operational practice
More informationPROFESSIONAL SERVICES (Solution Brief)
(Solution Brief) The most effective way for organizations to reduce the cost of maintaining enterprise security and improve security postures is to automate and optimize information security. Vanguard
More informationAZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments
AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES To Secure Azure and Hybrid Cloud Environments Introduction Cloud is at the core of every successful digital transformation initiative. With cloud comes new
More informationCyber Risks in the Boardroom Conference
Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks
More informationCybersecurity in Higher Ed
Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,
More informationSecuring Your Most Sensitive Data
Software-Defined Access Securing Your Most Sensitive Data Company Overview Digital Growth Means Digital Threats Digital technologies offer organizations unprecedented opportunities to innovate their way
More informationISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002
ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION
More informationBy 2020, a corporate no-cloud policy will be as rare as a no-internet policy is today. 1
By 2020, a corporate no-cloud policy will be as rare as a no-internet policy is today. 1 The question is no longer: How do I move to the cloud? Instead, it s Now that I m in the cloud, how do I make sure
More informationClearing the Path to PCI DSS Version 2.0 Compliance
White Paper Secure Configuration Manager Sentinel Change Guardian Clearing the Path to PCI DSS Version 2.0 Compliance Table of Contents Streamlining Processes for Protecting Cardholder Data... 1 PCI DSS
More informationHave breaches declined since the massive Heartland Payments leak in 2008? What proportion of breaches are the result of hacking?
The financial sector struggles with data leakage in part because many such organizations rely on dinosaurs - security solutions that struggle to protect data outside the corporate network. These orgs also
More informationSecurity Breach Notification Reflections on the U.S. Experience
Compliance & Regulatory Matters Data Privacy Security Breach Notification Reflections on the U.S. Experience Bojana Bellamy Director of Data Privacy Accenture Brief History of Breach Notification Laws
More informationOverview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview
PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card
More informationCipherCloud CASB+ Connector for ServiceNow
ServiceNow CASB+ Connector CipherCloud CASB+ Connector for ServiceNow The CipherCloud CASB+ Connector for ServiceNow enables the full suite of CipherCloud CASB+ capabilities, in addition to field-level
More informationSQL Compliance Whitepaper HOW COMPLIANCE IMPACTS BACKUP STRATEGY
SQL Compliance Whitepaper HOW COMPLIANCE IMPACTS BACKUP STRATEGY THE INTERSECTION OF COMPLIANCE AND DIGITAL DATA Organizations of all sizes and shapes must comply with government and industry regulations.
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationA Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud
A Checklist for Compliance in the Cloud 1 A Checklist for Compliance in the Cloud A Checklist for Compliance in the Cloud 1 With the industrialization of hacking and the enormous impact of security breaches,
More informationCONSIDERATIONS BEFORE MOVING TO THE CLOUD
CONSIDERATIONS BEFORE MOVING TO THE CLOUD 44 Bearfoot Road, Suite 1A Northborough, MA 01532 ceservices.com 508-919-8280 info@ceservices.com Contents Introduction..3 Organizational Compliance Related to
More informationGLBA, information security and incident response a compliance perspective
GLBA, information security and incident response a compliance perspective Introductions How many have experience with IT? How many have responsibilities involving IT? How many have responsibilities involving
More informationIBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.
IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats. Enhancing cost to serve and pricing maturity Keeping up with quickly evolving ` Internet threats
More informationManaging Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow
Managing Privacy Risk & Compliance in Financial Services Brett Hamilton Advisory Solutions Consultant ServiceNow 1 Speaker Introduction INSERT PHOTO Name: Brett Hamilton Title: Advisory Solutions Consultant
More informationNEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?
NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationINFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare
INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationlocuz.com SOC Services
locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security
More informationEvolution of Cyber Security. Nasser Kettani Chief Technology Officer Microsoft, Middle East and Africa
Evolution of Cyber Security Nasser Kettani Chief Technology Officer Microsoft, Middle East and Africa Nasser.Kettani@microsoft.com @nkettani MODERN SECURITY THREATS THERE ARE TWO KINDS OF BIG COMPANIES:
More informationQuickBooks Online Security White Paper July 2017
QuickBooks Online Security White Paper July 2017 Page 1 of 6 Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers and employees data a
More informationRun the business. Not the risks.
Run the business. Not the risks. RISK-RESILIENCE FOR THE DIGITAL BUSINESS Cyber-attacks are a known risk to business. Today, with enterprises becoming pervasively digital, these risks have grown multifold.
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationOracle Database Vault
An Oracle White Paper July 2009 Oracle Database Vault Introduction... 3 Oracle Database Vault... 3 Oracle Database Vault and Regulations... 4 Oracle Database Vault Realms... 5 Oracle Database Vault Command
More informationFFIEC Cyber Security Assessment Tool. Overview and Key Considerations
FFIEC Cyber Security Assessment Tool Overview and Key Considerations Overview of FFIEC Cybersecurity Assessment Tool Agenda Overview of assessment tool Review inherent risk profile categories Review domain
More informationData Security: Public Contracts and the Cloud
Data Security: Public Contracts and the Cloud July 27, 2012 ABA Public Contract Law Section, State and Local Division Ieuan Mahony Holland & Knight ieuan.mahony@hklaw.com Roadmap Why is security a concern?
More informationThis Online Gaming Company Didn t Want to Roll the Dice on Security That s Why it Worked with BlackBerry
This Online Gaming Company Didn t Want to Roll the Dice on Security That s Why it Worked with BlackBerry At a Glance With offices across the country, this gaming company has been in operation for decades.
More informationTRUE SECURITY-AS-A-SERVICE
TRUE SECURITY-AS-A-SERVICE To effectively defend against today s cybercriminals, organizations must look at ways to expand their ability to secure and maintain compliance across their evolving IT infrastructure.
More informationSAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010
JAYACHANDRAN.B,CISA,CISM jb@esecurityaudit.com August 2010 SAS 70 Audit Concepts and Benefits Agenda Compliance requirements Overview Business Environment IT Governance and Compliance Management Vendor
More informationSage Data Security Services Directory
Sage Data Security Services Directory PROTECTING INFORMATION ASSETS ENSURING REGULATORY COMPLIANCE FIGHTING CYBERCRIME Discover the Sage Difference Protecting your business from cyber attacks is a full-time
More informationSIEMLESS THREAT DETECTION FOR AWS
SOLUTION OVERVIEW: ALERT LOGIC FOR AMAZON WEB SERVICES (AWS) SIEMLESS THREAT DETECTION FOR AWS Few things are as important to your business as maintaining the security of your sensitive data. Protecting
More informationWorkday s Robust Privacy Program
Workday s Robust Privacy Program Workday s Robust Privacy Program Introduction Workday is a leading provider of enterprise cloud applications for human resources and finance. Founded in 2005 by Dave Duffield
More informationIBM Security Services Overview
Services Overview Massimo Nardone Senior Lead IT Security Architect Global Technology Services, IBM Internet Security Systems massimo.nardone@fi.ibm.com THE VEHICLE THE SKILL THE SOLUTION Today s Business
More informationΟ ρόλος της τεχνολογίας στο ταξίδι της συμμόρφωσης με τον Γενικό Κανονισμό. Αντιγόνη Παπανικολάου & Νίκος Αναστόπουλος
Ο ρόλος της τεχνολογίας στο ταξίδι της συμμόρφωσης με τον Γενικό Κανονισμό Αντιγόνη Παπανικολάου & Νίκος Αναστόπουλος Providing clarity and consistency for the protection of personal data The General
More informationEscaping PCI purgatory.
Security April 2008 Escaping PCI purgatory. Compliance roadblocks and stories of real-world successes Page 2 Contents 2 Executive summary 2 Navigating the road to PCI DSS compliance 3 Getting unstuck 6
More informationWhat To Do When Your Data Winds Up Where It Shouldn t
What To Do When Your Data Winds Up Where It Shouldn t Don M. Blumenthal Defcon 16 Las Vegas, Nevada August 9, 2008 Disclaimer Opinions expressed are my own and intended for informational purposes. They
More informationCybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City
1 Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City The opinions expressed are those of the presenters and are not those of the Federal Reserve Banks, the
More informationTechnology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited
Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry
More informationHow do you decide what s best for you?
How do you decide what s best for you? Experience Transparency Leadership Commitment Cost reduction Security Trustworthiness Credibility Confidence Reliability Compliance Privacy Expertise Flexibility
More informationEU General Data Protection Regulation (GDPR) Achieving compliance
EU General Data Protection Regulation (GDPR) Achieving compliance GDPR enhancing data protection and privacy The new EU General Data Protection Regulation (GDPR) will apply across all EU member states,
More informationProtecting your data. EY s approach to data privacy and information security
Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share
More informationTeradata and Protegrity High-Value Protection for High-Value Data
Teradata and Protegrity High-Value Protection for High-Value Data 12.16 EB7178 DATA SECURITY Table of Contents 2 Data Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:
More informationSafeguards on Personal Data Privacy.
Safeguards on Personal Data Privacy. Peter Koo Partner, Enterprise Risk Services Deloitte Touche Tohmatsu Maverick Tam Associate Director, Enterprise Risk Services Deloitte Touche Tohmatsu Deloitte ERS
More informationeguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments
eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments Today s PCI compliance landscape is one of continuing change and scrutiny. Given the number
More informationBackground FAST FACTS
Background Terra Verde was founded in 2008 by cybersecurity, risk and compliance executives. The founders believed that the market needed a company that was focused on using security, risk and compliance
More informationDIGITAL TRUST AT THE CORE
DIGITAL TRUST SECURING DATA AT THE CORE MAKING FINANCIAL SERVICES SECURE FOR WHEN, NOT IF, YOUR COMPANY IS ATTACKED Average total cost of a data breach in 2015 $3.79M 1 2 Securing Data at the Core Financial
More informationWhite Paper. How Organizations. Can Use The Cloud In Confidence. In business for people.
White Paper How Organizations Can Use The Cloud In Confidence In business for people. Safety in the Cloud According to a recent Forrester Research study, spending on public cloud services is expected to
More informationVANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER
VANGUARD INSURANCE INDUSTRY WHITEPAPER Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services Vanguard is the industry leader in z/os Mainframe Software to
More informationEffective Strategies for Managing Cybersecurity Risks
October 6, 2015 Effective Strategies for Managing Cybersecurity Risks Larry Hessney, CISA, PCI QSA, CIA 1 Everybody s Doing It! 2 Top 10 Cybersecurity Risks Storing, Processing or Transmitting Sensitive
More informationOverview Bank IT examination perspective Background information Elements of a sound plan Customer notifications
Gramm-Leach Bliley Act Section 501(b) and Customer Notification Roger Pittman Director of Operations Risk Federal Reserve Bank of Atlanta Overview Bank IT examination perspective Background information
More informationWHITE PAPERS. INSURANCE INDUSTRY (White Paper)
(White Paper) Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services Vanguard is the industry leader in z/os Mainframe Software to ensure enterprise compliance
More informationSWIFT Customer Security Programme
www.pwc.ch/cybersecurity SWIFT Customer Security Programme Mandatory controls: what you have to do to protect your local SWIFT infrastructures SWIFT Customer Security Programme (CSP) The growing number
More informationHIPAA Regulatory Compliance
Secure Access Solutions & HIPAA Regulatory Compliance Privacy in the Healthcare Industry Privacy has always been a high priority in the health profession. However, since the implementation of the Health
More informationFDIC InTREx What Documentation Are You Expected to Have?
FDIC InTREx What Documentation Are You Expected to Have? Written by: Jon Waldman, CISA, CRISC Co-founder and Executive Vice President, IS Consulting - SBS CyberSecurity, LLC Since the FDIC rolled-out the
More informationCybersecurity Auditing in an Unsecure World
About This Course Cybersecurity Auditing in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that cybersecurity
More informationRegulation P & GLBA Training
Regulation P & GLBA Training Overview Regulation P governs the treatment of nonpublic personal information about consumers by the financial institution. (Gramm-Leach-Bliley Act of 1999) The GLBA is composed
More informationWeighing in on the Benefits of a SAS 70 Audit for Third Party Administrators
Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener
More informationThis presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.
Privacy, Trust, and the General Data Protection Regulation (GDPR) Robertas Tamosaitis Microsoft Business Solution Sales Specialist E-mail: rtamosa@microsoft.com This presentation is intended to provide
More informationBuilding Cloud Trust. Ioannis Stavrinides. Technical Evangelist MS Cyprus
Building Cloud Trust Ioannis Stavrinides Technical Evangelist MS Cyprus If you re resisting the cloud because of security concerns, you re running out of excuses. The question is no longer: How do I move
More informationin PCI Regulated Environments
in PCI Regulated Environments JULY, 2018 PCI COMPLIANCE If your business accepts payments via credit, debit, or pre-paid cards, you are required to comply with the security requirements of the Payment
More informationAUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE
AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE Table of Contents Dedicated Geo-Redundant Data Center Infrastructure 02 SSAE 16 / SAS 70 and SOC2 Audits 03 Logical Access Security 03 Dedicated
More informationCustomer Security Programme (CSP)
Customer Security Programme (CSP) ACSDA General Assembly Overview Thomas Trépanier April - 2017 Legal Notices: COPYRIGHT SWIFT 2017 - All rights reserved. You may copy this document within your organisation.
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationWhat It Takes to be a CISO in 2017
What It Takes to be a CISO in 2017 Doug Copley Deputy CISO Sr. Security & Privacy Strategist February 2017 IMAGINE You re the CISO In Bangladesh Of a bank On a Friday when you re closed You realize 6 huge
More informationTotal Security Management PCI DSS Compliance Guide
Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to
More informationAmit Panchal Enterprise Technology Strategist
Amit Panchal Enterprise Technology Strategist amitp@microsoft.com Who is Amit Panchal IT Industry Personal Education Executive Experience MORE DEVICES I love my PC, my phone, and my slate. MORE MOBILE
More informationINTELLIGENCE DRIVEN GRC FOR SECURITY
INTELLIGENCE DRIVEN GRC FOR SECURITY OVERVIEW Organizations today strive to keep their business and technology infrastructure organized, controllable, and understandable, not only to have the ability to
More informationJeff Wilbur VP Marketing Iconix
2016 Data Protection & Breach Readiness Guide February 3, 2016 Craig Spiezle Executive Director & President Online Trust Alliance Jeff Wilbur VP Marketing Iconix 1 Who is OTA? Mission to enhance online
More informationManaging Cybersecurity Risk
Managing Cybersecurity Risk Maureen Brundage Andy Roth August 9, 2016 Managing Cybersecurity Risk Cybersecurity: The Current Legal and Regulatory Environment Cybersecurity Governance: Considerations for
More information